Add MySQL Manager to MySQL policy module
Second submission to fix mistakes from first. Signed-off-by: Chris Richards <gizmo@giz-works.com> Signed-off-by: Chris PeBenito <cpebenito@tresys.com>
parent
1049180cd8
commit
68cda59844
@ -140,6 +140,7 @@ network_port(msnp, tcp,1863,s0, udp,1863,s0)
|
|||||||
network_port(munin, tcp,4949,s0, udp,4949,s0)
|
network_port(munin, tcp,4949,s0, udp,4949,s0)
|
||||||
network_port(mysqld, tcp,1186,s0, tcp,3306,s0)
|
network_port(mysqld, tcp,1186,s0, tcp,3306,s0)
|
||||||
portcon tcp 63132-63163 gen_context(system_u:object_r:mysqld_port_t, s0)
|
portcon tcp 63132-63163 gen_context(system_u:object_r:mysqld_port_t, s0)
|
||||||
|
network_port(mysqlmanagerd, tcp,2273,s0)
|
||||||
network_port(nessus, tcp,1241,s0)
|
network_port(nessus, tcp,1241,s0)
|
||||||
network_port(netsupport, tcp,5405,s0, udp,5405,s0)
|
network_port(netsupport, tcp,5405,s0, udp,5405,s0)
|
||||||
network_port(nmbd, udp,137,s0, udp,138,s0)
|
network_port(nmbd, udp,137,s0, udp,138,s0)
|
||||||
|
@ -6,6 +6,7 @@
|
|||||||
/etc/my\.cnf -- gen_context(system_u:object_r:mysqld_etc_t,s0)
|
/etc/my\.cnf -- gen_context(system_u:object_r:mysqld_etc_t,s0)
|
||||||
/etc/mysql(/.*)? gen_context(system_u:object_r:mysqld_etc_t,s0)
|
/etc/mysql(/.*)? gen_context(system_u:object_r:mysqld_etc_t,s0)
|
||||||
/etc/rc\.d/init\.d/mysqld -- gen_context(system_u:object_r:mysqld_initrc_exec_t,s0)
|
/etc/rc\.d/init\.d/mysqld -- gen_context(system_u:object_r:mysqld_initrc_exec_t,s0)
|
||||||
|
/etc/rc\.d/init\.d/mysqlmanager -- gen_context(system_u:object_r:mysqlmanagerd_initrc_exec_t,s0)
|
||||||
|
|
||||||
#
|
#
|
||||||
# /usr
|
# /usr
|
||||||
@ -16,6 +17,8 @@
|
|||||||
|
|
||||||
/usr/sbin/mysqld(-max)? -- gen_context(system_u:object_r:mysqld_exec_t,s0)
|
/usr/sbin/mysqld(-max)? -- gen_context(system_u:object_r:mysqld_exec_t,s0)
|
||||||
|
|
||||||
|
/usr/sbin/mysqlmanager -- gen_context(system_u:object_r:mysqlmanagerd_exec_t,s0)
|
||||||
|
|
||||||
#
|
#
|
||||||
# /var
|
# /var
|
||||||
#
|
#
|
||||||
@ -25,3 +28,5 @@
|
|||||||
/var/log/mysql.* -- gen_context(system_u:object_r:mysqld_log_t,s0)
|
/var/log/mysql.* -- gen_context(system_u:object_r:mysqld_log_t,s0)
|
||||||
|
|
||||||
/var/run/mysqld(/.*)? gen_context(system_u:object_r:mysqld_var_run_t,s0)
|
/var/run/mysqld(/.*)? gen_context(system_u:object_r:mysqld_var_run_t,s0)
|
||||||
|
|
||||||
|
/var/run/mysqld/mysqlmanager.* -- gen_context(system_u:object_r:mysqlmanagerd_var_run_t,s0)
|
||||||
|
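Review bot: The new file context `/var/run/mysqld/mysqlmanager.* -- gen_context(system_u:object_r:mysqlmanagerd_var_run_t,s0)` matches regular files only because of the `--` qualifier, while the policy hunk further down creates both `file` and `sock_file` objects of that type under `mysqld_var_run_t` via `filetrans_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t, { file sock_file })`. A socket created there would carry `mysqlmanagerd_var_run_t` at runtime but would likely fall back to the directory's `mysqld_var_run_t` on a restorecon, after which the manager's `manage_sock_files_pattern` rule no longer matches it. Add a socket entry alongside the existing one, `/var/run/mysqld/mysqlmanager.* -s gen_context(system_u:object_r:mysqlmanagerd_var_run_t,s0)`, or drop the `--` qualifier so both object classes are covered.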
@ -237,6 +237,26 @@ interface(`mysql_write_log',`
|
|||||||
allow $1 mysqld_log_t:file { write_file_perms setattr };
|
allow $1 mysqld_log_t:file { write_file_perms setattr };
|
||||||
')
|
')
|
||||||
|
|
||||||
|
#####################################
|
||||||
|
## <summary>
|
||||||
|
## Read MySQL PID files.
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## <summary>
|
||||||
|
## Domain allowed access.
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
##
|
||||||
|
#
|
||||||
|
interface(`mysql_read_pid_files',`
|
||||||
|
gen_require(`
|
||||||
|
type mysqld_var_run_t;
|
||||||
|
')
|
||||||
|
|
||||||
|
mysql_search_pid_files($1)
|
||||||
|
read_files_pattern($1, mysqld_var_run_t, mysqld_var_run_t)
|
||||||
|
')
|
||||||
|
|
||||||
#####################################
|
#####################################
|
||||||
## <summary>
|
## <summary>
|
||||||
## Search MySQL PID files.
|
## Search MySQL PID files.
|
||||||
|
@ -32,6 +32,21 @@ logging_log_file(mysqld_log_t)
|
|||||||
type mysqld_tmp_t;
|
type mysqld_tmp_t;
|
||||||
files_tmp_file(mysqld_tmp_t)
|
files_tmp_file(mysqld_tmp_t)
|
||||||
|
|
||||||
|
########################################
|
||||||
|
#
|
||||||
|
# MySQL Manager Declarations
|
||||||
|
#
|
||||||
|
|
||||||
|
type mysqlmanagerd_t;
|
||||||
|
type mysqlmanagerd_exec_t;
|
||||||
|
init_daemon_domain(mysqlmanagerd_t, mysqlmanagerd_exec_t)
|
||||||
|
|
||||||
|
type mysqlmanagerd_initrc_exec_t;
|
||||||
|
init_script_file(mysqlmanagerd_initrc_exec_t)
|
||||||
|
|
||||||
|
type mysqlmanagerd_var_run_t;
|
||||||
|
files_pid_file(mysqlmanagerd_var_run_t)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
# Local policy
|
# Local policy
|
||||||
@ -84,6 +99,7 @@ corenet_sendrecv_mysqld_client_packets(mysqld_t)
|
|||||||
corenet_sendrecv_mysqld_server_packets(mysqld_t)
|
corenet_sendrecv_mysqld_server_packets(mysqld_t)
|
||||||
|
|
||||||
dev_read_sysfs(mysqld_t)
|
dev_read_sysfs(mysqld_t)
|
||||||
|
dev_read_urand(mysqld_t)
|
||||||
|
|
||||||
fs_getattr_all_fs(mysqld_t)
|
fs_getattr_all_fs(mysqld_t)
|
||||||
fs_search_auto_mountpoints(mysqld_t)
|
fs_search_auto_mountpoints(mysqld_t)
|
||||||
@ -161,3 +177,44 @@ mysql_manage_db_files(mysqld_safe_t)
|
|||||||
mysql_read_config(mysqld_safe_t)
|
mysql_read_config(mysqld_safe_t)
|
||||||
mysql_search_pid_files(mysqld_safe_t)
|
mysql_search_pid_files(mysqld_safe_t)
|
||||||
mysql_write_log(mysqld_safe_t)
|
mysql_write_log(mysqld_safe_t)
|
||||||
|
|
||||||
|
########################################
|
||||||
|
#
|
||||||
|
# MySQL Manager Policy
|
||||||
|
#
|
||||||
|
allow mysqlmanagerd_t self:capability { dac_override kill };
|
||||||
|
allow mysqlmanagerd_t self:process signal;
|
||||||
|
allow mysqlmanagerd_t self:fifo_file rw_fifo_file_perms;
|
||||||
|
allow mysqlmanagerd_t self:tcp_socket create_stream_socket_perms;
|
||||||
|
allow mysqlmanagerd_t self:unix_stream_socket create_stream_socket_perms;
|
||||||
|
|
||||||
|
mysql_read_config(initrc_t)
|
||||||
|
mysql_read_config(mysqlmanagerd_t)
|
||||||
|
mysql_read_pid_files(mysqlmanagerd_t)
|
||||||
|
mysql_search_db(mysqlmanagerd_t)
|
||||||
|
mysql_signal(mysqlmanagerd_t)
|
||||||
|
mysql_stream_connect(mysqlmanagerd_t)
|
||||||
|
|
||||||
|
kernel_read_system_state(mysqlmanagerd_t)
|
||||||
|
corecmd_exec_shell(mysqlmanagerd_t)
|
||||||
|
corenet_all_recvfrom_unlabeled(mysqlmanagerd_t)
|
||||||
|
corenet_all_recvfrom_netlabel(mysqlmanagerd_t)
|
||||||
|
corenet_tcp_sendrecv_generic_if(mysqlmanagerd_t)
|
||||||
|
corenet_tcp_sendrecv_generic_node(mysqlmanagerd_t)
|
||||||
|
corenet_tcp_sendrecv_all_ports(mysqlmanagerd_t)
|
||||||
|
corenet_tcp_bind_generic_node(mysqlmanagerd_t)
|
||||||
|
corenet_tcp_bind_mysqlmanagerd_port(mysqlmanagerd_t)
|
||||||
|
corenet_tcp_connect_mysqlmanagerd_port(mysqlmanagerd_t)
|
||||||
|
corenet_sendrecv_mysqlmanagerd_server_packets(mysqlmanagerd_var_run_t)
|
||||||
|
corenet_sendrecv_mysqlmanagerd_client_packets(mysqlmanagerd_var_run_t)
|
||||||
|
dev_read_urand(mysqlmanagerd_t)
|
||||||
|
files_read_etc_files(mysqlmanagerd_t)
|
||||||
|
files_read_usr_files(mysqlmanagerd_t)
|
||||||
|
|
||||||
|
miscfiles_read_localization(mysqlmanagerd_t)
|
||||||
|
userdom_getattr_user_home_dirs(mysqlmanagerd_t)
|
||||||
|
|
||||||
|
domtrans_pattern(mysqlmanagerd_t, mysqld_exec_t, mysqld_t)
|
||||||
|
filetrans_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t, { file sock_file })
|
||||||
|
manage_files_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t)
|
||||||
|
manage_sock_files_pattern(mysqlmanagerd_t, mysqld_var_run_t, mysqlmanagerd_var_run_t)
|
||||||
|
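Review bot: `corenet_sendrecv_mysqlmanagerd_server_packets(mysqlmanagerd_var_run_t)` and the client_packets call directly below it pass the PID-file type where every other rule in this hunk passes the domain; the packet permissions belong to the process, so these should read `corenet_sendrecv_mysqlmanagerd_server_packets(mysqlmanagerd_t)` and `corenet_sendrecv_mysqlmanagerd_client_packets(mysqlmanagerd_t)`. As written the manager domain receives no packet permissions and a file type is granted packet access it can never exercise, which will surface as denials for mysqlmanagerd_t once packet labeling is in effect. Separately, `mysql_read_config(initrc_t)` names a type owned by the init module directly; unless a gen_require for `initrc_t` sits above this hunk, that dependency should be expressed through an init interface or moved into the init module so the cross-module reference is explicit.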